Happy Trails Computer Club

Part 2. Handle Attachments Safely
Part 1. Understand the Hazards of Attachments tells you what to look out for. This page -- Part 2. -- describes the initial process for attachments. Part 3. Handle Files Safely takes the process further and describes how to work safely with the files themselves.

You've learned there are many ways that an attachment can ruin your whole day. If you missed that part, go back to Part 1. Understand the hazards of email attachments. If you've already been there, put your knowledge to work, starting here in Part 2. There are more suggestions in Part 3 -- handling files safely.

Part 2. How to handle attachments safely -- overview

Cardinal rule: Never, ever open an email attachment that you have any doubts about -- even if it's addressed directly to you and comes from someone you know. Always check with the sender directly -- most worms appear to come from someone you know these days -- make sure they intended to send the attachment. Just send them an email and ask what it's all about -- and even then be cautious. If you're satisfied with how they got the file, it's probably OK.

Weed out obviously bogus messages and attachments first

You need to examine messages and attachments as a whole, not separately. Sometimes attachment details -- size, name or extension -- combined with the nature of the message will tell you they're bogus. Usually there's a whiff of something not quite right. If something is fishy just delete the message, along with the attachment, and get on with your life.

HTML attachments (filename.htm or filename.html) are a special case. Depending on how the message was composed, and on its size, email clients will show some HTML messages as attachments. Others will be displayed directly with no attachment. Either one can have malicious content though. [exceptions]

Many malicious attachments appear to come from a legitimate address, or from someone you know. Be suspicious of any attachment that you were not expecting -- even though it's from someone you know. Be paranoid about attachments from anyone you don't know.

Questions to ask about the ones that remain

I tried to capture the thinking process that I use to deal with messages and attachments by creating this list of questions. I actually don't simply go down the list in order, although that's the way to learn the logic. I more or less ask the questions in parallel. I suggest that you try following the steps explicitly a few times to get a feel for how to think about messages and when to open attachments.
  1. Did the person who sent the message struggle with grammar, spelling or punctuation? Yes? Just delete the whole thing -- unless it passes Question 7. below. If not, continue back here at Question 2.

  2. Is there anything inconsistent about the message: who it's from, the address it's from, the subject, the kind of attachment, the file name, why you would get such a message, etc.? Yes? Just delete it and get on with your life.

  3. Can I live without what this attachment offers, even though I'm curious? Yes? Delete it.

  4. Is there something here that's so attractive that I'm willing to take a risk? No? Why are you waiting? Delete it, you'll get over it. Yes? Proceed to Question 5.

  5. Does the message appear to come from someone I know? Yes? Well then, it's easy to check to see if and why they sent the attachment, eh? If it checks out, skip ahead to Question 7. If it's not from someone you know, proceed to Question 6.

  6. Is the message well written, convincing and reasonable, and do you feel that the attachment is safe enough to risk opening?

    No? I'd just delete the message. If you decide to explore it anyway, proceed (very carefully) to Part 3. Safe file handling. Work your way down the page. You should end up at "Working with files that you don't fully trust". Do not continue to Question 6. on this page. [This is beginning to sound like an income tax form, eh?]

    Yes? Don't do anything yet. You don't know this person from Adam (or Eve as the case may be). Maybe you should go back to Question 3 again. Otherwise, proceed to Part 3. Safe file handling. Work your way down the page. You should end up at "Working with files that you think you can trust".

  7. Is everything about the message consistent? Have you received messages exactly like this one before? From the same address, the same person, the same or related subject, the same kind of message, the same kind of attachment? Yes? Go on to the next segment.

    If the answer to Question 7. is no, do not go on to the next segment. Proceed to Part 3. Safe file handling. Work your way down the page. You should end up at "Working with files that you think you can trust".

When you are "sure" the attachment is safe

You can be more relaxed about opening many of the attachments you receive. They'll pass the test clear through Question 7. above. Life is too short to be completely paranoid. Just open the attachment. Some of my examples:
  1. HTML files attached to newsletters that I receive regularly make up the bulk of "safe" attachments that I receive.

  2. Personal (not the "forwarded kind") digital pictures from people who send them regularly.

  3. Software updates from a specific source at a specific time that I know about in advance.

  4. For some reason, some of my email arrives with the content in a text file (*.txt). You want to be sure these are really text files before you open them.

    I've opened many attachments like these examples without a second thought, and have never had a problem.
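One way to check that a "*.txt" attachment really is a text file, as item 4 above advises, is to look at the saved file's real extension and its first bytes before opening it. The following is an added example, not part of the original page; the function name check_text_attachment, the short signature table and the sample attachments are assumptions constructed for illustration.

```python
import os

# Leading bytes of common non-text formats (well-known file signatures).
MAGIC = {
    b"MZ": "Windows executable",
    b"PK\x03\x04": "ZIP archive or Office document",
    b"%PDF": "PDF document",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "legacy Office (OLE) document",
}
# Characters that can disguise the real extension in a displayed file name.
DECEPTIVE = {"\u202e": "right-to-left override", "\u200b": "zero-width space"}


def check_text_attachment(filename, data):
    """Return reasons why `data` saved as `filename` is not plain text ([] = none found)."""
    problems = []
    for ch, label in DECEPTIVE.items():
        if ch in filename:
            problems.append(f"file name contains a {label}")
    # Windows drops trailing spaces and dots, so strip them before reading the extension.
    name = filename.rstrip(" .")
    ext = os.path.splitext(name)[1].lower()
    if ext != ".txt":
        problems.append(f"real extension is {ext or '(none)'}, not .txt")
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            problems.append(f"content starts like a {label}")
    if b"\x00" in data:
        problems.append("content contains NUL bytes")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            problems.append("content is not valid UTF-8 text")
    return problems


# Constructed samples (not real attachments).
SAMPLES = [
    ("minutes.txt", b"Club meeting moved to Thursday.\r\n"),
    ("minutes.txt.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("minutes.txt", b"PK\x03\x04\x14\x00\x00\x00"),
    ("minutes\u202etxt.scr", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(repr(name), check_text_attachment(name, body) or "looks like plain text")
```

An empty result means no problem was found, not that the file is guaranteed safe. Legitimate text in an older encoding such as Windows-1252 also fails the UTF-8 check, so a flag there means look closer.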

When you're not sure the attachment is safe

Never simply "double-click" or "right-click > open" an attachment you're not sure of. That will immediately activate any malicious content. If you've decided you want to open it anyway, proceed to Part 3. Safe file handling, and find out how to open it safely.

If the steps above seem too Draconian, there's an alternative that seems to offer nearly the same protection. "Benign" from Firetrust is a program that neutralizes email. It should be more effective than an antivirus program. I've never tried it, but the method seems sound. However, it will only work with normal "POP" email, not with "Web mail".

"Never open an email attachment on the first date!" -- Fred Langa